import libgcrypt-1.10.0-8.el9_0

2 years ago · 4418c5bc3c
parent 271df921f4
commit 4418c5bc3c
3 changed files with 34 additions and 37 deletions
--- a/SOURCES/libgcrypt-1.10.0-allow-short-salt.patch
+++ b/SOURCES/libgcrypt-1.10.0-allow-short-salt.patch
@ -48,4 +48,30 @@ index c98247d8..aee5bffb 100644
 -- 
 2.37.1
 commit 02718ade6ab5eee38169c2102097166770a2456d
 Author: Jakub Jelen <jjelen@redhat.com>
 Date:   Thu Oct 20 16:33:11 2022 +0200
    visiblity: Check the HMAC key length in FIPS mode
    ---
    * src/visibility.c (gcry_md_setkey): Check the HMAC key length in FIPS
      mode also in the md_ API.
    Signed-off-by: Jakub Jelen <jjelen@redhat.com>
 diff --git a/src/visibility.c b/src/visibility.c
 index 150b197d..73db3dea 100644
 --- a/src/visibility.c
 +++ b/src/visibility.c
@@ -1357,6 +1357,10 @@ gcry_md_setkey (gcry_md_hd_t hd, const void *key, size_t keylen)
 {
   if (!fips_is_operational ())
     return gpg_error (fips_not_operational ());
 +
 +  if (fips_mode () && keylen < 14)
 +    return GPG_ERR_INV_VALUE;
 +
   return gpg_error (_gcry_md_setkey (hd, key, keylen));
 }
--- a/SOURCES/libgcrypt-1.10.0-fips-kdf.patch
+++ b/SOURCES/libgcrypt-1.10.0-fips-kdf.patch
@ -1,36 +1,3 @@
 From 857e6f467d0fc9fd858a73d84122695425970075 Mon Sep 17 00:00:00 2001
 From: NIIBE Yutaka <gniibe@fsij.org>
 Date: Tue, 27 Sep 2022 13:26:16 +0900
 Subject: [PATCH] kdf:pkdf2: Require longer input when FIPS mode.
 * cipher/kdf.c (_gcry_kdf_pkdf2): Add length check.
 --
 GnuPG-bug-id: 6039
 Fixes-commit: 58c92098d053aae7c78cc42bdd7c80c13efc89bb
 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 ---
 cipher/kdf.c | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/cipher/kdf.c b/cipher/kdf.c
 index 3e51e115..81523320 100644
 --- a/cipher/kdf.c
 +++ b/cipher/kdf.c
@@ -160,6 +160,9 @@ _gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen,
     return GPG_ERR_INV_VALUE;
 #endif
 +  /* HMAC requires longer input for approved use case.  */
 +  if (fips_mode () && passphraselen < 14)
 +    return GPG_ERR_INV_VALUE;
   /* Step 2 */
   l = ((dklen - 1)/ hlen) + 1;
 -- 
 2.37.3
 From 3c04b692de1e7b45b764ff8d66bf84609b012e3a Mon Sep 17 00:00:00 2001
 From: Tobias Heider <tobias.heider@canonical.com>
 Date: Tue, 27 Sep 2022 13:31:05 +0900
@ -58,9 +25,9 @@ index 81523320..67c60df8 100644
 +  if (fips_mode () && dklen < 14)
 +    return GPG_ERR_INV_VALUE;
 +
-   /* HMAC requires longer input for approved use case.  */
+ 
-   if (fips_mode () && passphraselen < 14)
+   /* Step 2 */
-     return GPG_ERR_INV_VALUE;
+   l = ((dklen - 1)/ hlen) + 1;
 -- 
 2.37.3
 From e5a5e847b66eb6b80e60a2dffa347268f059aee3 Mon Sep 17 00:00:00 2001
--- a/SPECS/libgcrypt.spec
+++ b/SPECS/libgcrypt.spec
@ -16,7 +16,7 @@ print(string.sub(hash, 0, 16))
 Name: libgcrypt
 Version: 1.10.0
-Release: 7%{?dist}
+Release: 8%{?dist}
 URL: https://www.gnupg.org/
 Source0: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2
 Source1: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig
@ -197,6 +197,10 @@ mkdir -p -m 755 $RPM_BUILD_ROOT/etc/gcrypt
 %license COPYING
 %changelog
 * Thu Oct 20 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-8
 - Fix unneeded PBKDF2 passphrase length limitation in FIPS mode
 - Enforce HMAC key lengths in MD API in FIPS mode
 * Thu Oct 06 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-7
 - Properly enforce KDF limits in FIPS mode (#2130275)
 - Fix memory leak in large digest test (#2129150)